Saturday, July 21, 2007

silencing the sellout

well, it's been a couple days since i tore anyone a new one so here goes... some of you may be familiar with the mess revolving around the infosecsellout blog (as discussed at these sites 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, not to mention slashdot) but if not, here's my perspective...

to start out, infosecsellout announced the discovery of a remotely exploitable mac vulnerability but he/she/they weren't finished working on it so he/she/they weren't ready to give apple the details yet... nothing new with finding mac vulnerabilities (that is why apple has been releasing security patches after all) but i suppose it was a little pointless to announce the existence of the vulnerability to the community before you're ready to do anything about it for the community...

then infosecsellout wrote a worm that exploited the vulnerability... obviously i'm not going to condone writing malware, but to his/her/their credit at least he/she/they weren't going to release it to the public, only to his/her/their employer - and he/she/they may have had good reason to trust that that employer wouldn't do anything stupid or malicious with the worm so it might have been responsible handling of malware (at least after the fact, though there are better ways to go about proving things)...

then the criticism started rolling in... obviously writing malware for the mac at this stage isn't proving the mac is vulnerable to malware since that was objectively proven some time ago, but the criticism went beyond that... some apparently felt that details should be given to apple when they (rather than the researcher) felt the researcher was ready... others felt (perhaps justifiably) that without proof of the vulnerability and without a reputation to fall back on (an inherent limitation of anonymity) that there was no reason to believe the vulnerability claim was legitimate... ah to be a mac fan...

all that seems fairly civilized so far, but some folks decided they'd rather have infosecsellout shut up and thus he/she/they started receiving death threats... were some of them mac fans? maybe... were some of them security professionals? probably since they implied they'd be at security-related events when they put a bullet in the sellout and buried him/her (no them, since the people making threats didn't seem to consider the fact that they'd need to deal with more than one person)... there are some pretty twisted people in the world and threatening death and/or mutilation over an exploit is pretty despicable, i have to agree with dave lewis on that one... although in usenet i often used to see people wish to see virus writers strung up by their testicles or various other body parts so as sick as it may be perhaps it's more common than anyone wants to admit...

another attack seemingly designed to silence the infosecsellout was an attack against his/her/their identity(/ies)... security professionals, whining about the mean and nasty things infosecsellout has said (oh, boo hoo - toughen up kids, this is the internet not a school playground), tried to out the infosecsellout... first of all, this is a dangerous thing to do to someone who is receiving death threats... were the threats real? it's impossible to know for sure but when it comes to people's lives i think it's probably better to err on the side of caution... second, although it may be true that there is no real anonymity on the internet (especially where security pros are concerned) the same can be said for privacy... anonymity, like privacy, is a luxury we afford each other and we do so because we value these things and want others to afford those luxuries to us... just as privacy is a prerequisite for personal liberty, anonymity is a prerequisite for freedom of speech - and i'm not talking about happy/friendly speech that doesn't need protecting in the first place, it's unpopular speech that anonymity is designed to protect... you should expect to not like unpopular speech, but you should also understand why a free society needs it... i regard those who disrespect anonymity with the same sort of disdain as those who disrespect privacy (like peeping toms or hammer hawks)...

the blog hijacking, had it been a real one like these two from recent memory instead of just fat fingers (so there's an insider threat even in blogging!) and a cooperative blog creator, would have come the closest to shutting him/her/them up... but even when the blog seemed to be gone, infosecsellout was still getting his/her/their voice(s) heard in blog comments so it would seem that the infosecsellout is here for the duration and folks should just get used to it...

if you think the infosecsellout is a troll then act accordingly and stop paying attention to him/her/them... if you don't like the things infosecsellout has to say, just about the worst thing you could do would be to lend credence to those things by trying to silence him/her/them...

(and if you're wondering why i didn't link directly to the infosecsellout blog, or why the blog doesn't appear in my blogroll at the time of writing even though it used to, look no further than the supposedly corrected hijacking [and, i suppose the malware writing]... it's back on my probationary list for now...)

3 comments:

This is all way more drama than I care to get involved in, but infosecsellout hasn't been on my rss feeds for a while now; not that I didn't give them a chance, but there was just something almost useless in their tone of posts that seemed more like someone (young) trying to pick fights and express an opinion more harsh than they maybe could without a pseudonym. It turned me off enough that I removed them a few months ago at least...wish I had paid slightly more attention...but again, that's drama avoided.

Anyway, no matter who it is or the effects/news/drama around it, I hope the people making threats didn't mean it any more than normal immature over-the-top-to-make-a-point insults on the nets, and I hope no one's jobs or lives have been too negatively impacted by all this crap.

to each their own... i wasn't exactly hanging off their every word either, but the blog struck a chord on occasion...

"there was just something almost useless in their tone of posts that seemed more like someone (young) trying to pick fights and express an opinion more harsh than they maybe could without a pseudonym."

well, that's kind of the point of anonymity, isn't it... to have the freedom to express your true feelings about something without fear of reprisal... maybe the message in question is useless or maybe it isn't - unfortunately there's no objective yardstick to measure the quality of these things...

"I hope no one's jobs or lives have been too negatively impacted by all this crap."

Some of the threats and "carrying-on" are so predictable. When poked about being vulnerable, the Mac community say "show us, then". Now that someone has, they go nuts.

I'm a mac user myself these days and I see a lot of this. All hardware and software sucks to some degree in my experience, but the reality distortion field stops some people from seeing that.

Microsoft, for all their faults, seem to be much more mature than Apple in their response to security incidents. As much as people criticise Microsoft's processes here, they're scoring much higher than Apple when it comes to talking about the impact of vulnerabilities, which patches are urgently needed, steps you can take to mitigate threats in the meantime, etc. Remember, I'm not claiming MS are perfect - they don't need to be just to beat Apple at this game I'm afraid.

I got a (very mild) flaming in mac newsgroups for trying to talk about the last vulnerability that got made public, and here we are with an actual worm and acres of childish death threats and badly spelt profanity.

Some of these people really do think they're living in Walt Disney's magic castle or something and any attempt to bring reality in just isn't welcome.